With WordPress being the most popular CRM style website platform, used by 26% or all websites, a security problem with a popular SEO plug-in within WordPress has been a serious issue. WordPress however have now fixed the flaw and you can update your website with the new version from this Friday.

What Was The Problem?

The WordPress system allows website owners to quickly and easily update and add to their website by adding all manner of code and functionality in the form of pre-written plug-ins’ that can be searched for, downloaded and installed automatically.

The security issue related to a flaw in the code for one of the very popular and widely installed plug-ins called “The All in One SEO Pack”, downloaded by 30 million users and estimated to be in use now in a million websites.

A ‘Bot Blocker’ component was used in the plug-in to detect and block spam bots based on their user agent and referrer header values, and it was in this element that the vulnerability was discovered.

Exploited

This Bot Blocker had a flaw in the code which meant that it could be exploited remotely by sending HTTP requests with specifically crafted headers to the website. Hackers then were able to put malicious Javascript into these headers that could be logged inside the tracked bot panel page, and then executed to steal an admin’s session token.

Totally anonymous users therefore could relatively easily get into a WordPress website that had the plug-in installed and store an XSS (JavaScript) payload in the dashboard without the website owner / administrator knowing. Finding the admin details is of course vital to hackers / cyber criminals being able to take over a website.

The seriousness of flaws in some aspects of WordPress has been highlighted several times in recent years such as when 26,000 WordPress websites with the Pingback function enabled were used as part of a botnet to launch DDoS attacks on other websites back in February this year.

What Does This Mean For Your Business?

The discovery of this latest flaw means that if your business website is a WordPress website that has the All in One SEO Pack installed you will need to make sure that you upgrade to this to the latest 2.3.7. version as soon as possible (after Friday), or you can make sure that you don’t have the Track Blocked Bots setting enabled in the website.